Abandoned · Archived · Library

bakerkretzmar/laravel-pwned-password-rule
=========================================

A Laravel validation rule to check passwords against Have I Been Pwned

Version 1.0.0 (5y ago) · MIT · PHP ^7.4 · Pushed 5y ago

[Source](https://github.com/bakerkretzmar/laravel-pwned-password-rule) · [Packagist](https://packagist.org/packages/bakerkretzmar/laravel-pwned-password-rule)

Laravel Pwned Password Rule
===========================


Validate passwords against the **Have I Been Pwned** database.

[Have I Been Pwned](https://haveibeenpwned.com/) is a service that lets you check if any of your accounts have been compromised in a data breach. In addition to their website and account search functionality, they operate a Pwned Passwords tool that allows securely and anonymously searching just for *passwords* found in breaches. Under the hood, this validation rule queries the Pwned Passwords API and checks *if* and *how often* the value being validated appears in HIBP's breach database.

**This package does NOT share your users’ passwords with third parties.** Values being validated using this rule are hashed in your application, and the first five characters of the hash are sent to the Pwned Password API. The API returns all password hash suffixes matching these five characters, and back in your application this rule determines which hash matches the value you sent. This package also supports [response padding](https://haveibeenpwned.com/API/v3#PwnedPasswordsPadding) to further obscure the API's responses to hash queries.

For more information please read the launch announcement of Pwned Passwords, [Introducing 306 Million Freely Downloadable Pwned Passwords](https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/), the V2 announcement, [I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/), and the [Have I Been Pwned API documentation](https://haveibeenpwned.com/API/v3).

Installation
------------

You can install the package with Composer:

```
composer require bakerkretzmar/laravel-pwned-password-rule
```

Usage
-----

Use this rule like any other Laravel validation rule:

```
use Bakerkretzmar\PwnedPasswordRuled\Pwned;

$request->validate([
    'email' => ['required', 'email'],
    'password' => ['required', 'confirmed', 'min:12', new Pwned],
]);
```

You can also use the rule's string alias:

```
$request->validate(['password' => ['required', 'pwned']]);
```

By default, the rule will fail any value that has *ever* appeared in Have I Been Pwned's breach database, which contains over 500,000,000 passwords. To allow passwords that have been breached but don't appear in the database often, you can pass an integer to the rule as its first argument. Values appearing that many times or fewer will then pass validation.

```
// Fails for 'password', passes for 'alpaca999' which appears 3 times

$request->validate(['password' => ['required', new Pwned(5)]]);
// or
$request->validate(['password' => ['required', 'pwned:5']]);
```

Pwned Passwords also offers additional security with optional response padding, which pads responses with fake hashes to a length of 800–1,000 lines, to defend against attacks that inspect the *size* of the response to determine how many matches the API returned. You can enable response padding by passing `true` as the second argument to this rule.

```
// Under the hood, returns at least 800 password hashes regardless of how many matched the query

$request->validate(['password' => ['required', new Pwned(0, true)]]);
// or
$request->validate(['password' => ['required', 'pwned:0,true']]);
```
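
The range lookup described in the introduction, together with the threshold and response-padding behaviour above, as an added example that is not the package's own code. The function names are hypothetical and the response body is constructed; the `SUFFIX:COUNT` line format and the zero-count padding entries follow the Pwned Passwords API documentation.

```php
<?php
declare(strict_types=1);

// Split the SHA-1 of a password into the 5-character prefix that is sent
// to the range endpoint and the 35-character suffix that never leaves the app.
function splitHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

// Parse a range response ("SUFFIX:COUNT" per line) and return how often the
// local suffix appears. Padding entries carry a count of 0, so they can
// never be counted as a breach hit.
function breachCount(string $suffix, string $body): int
{
    foreach (preg_split('/\r\n|\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue; // skip blank or malformed lines
        }
        [$candidate, $count] = $parts;
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

// Hypothetical helper mirroring the rule's first argument: a value passes
// when it appears $threshold times or fewer.
function passesPwnedCheck(string $password, string $body, int $threshold = 0): bool
{
    [, $suffix] = splitHash($password);
    return breachCount($suffix, $body) <= $threshold;
}

// Constructed sample body. In a real lookup it would come from
// GET https://api.pwnedpasswords.com/range/{prefix}, with the
// "Add-Padding: true" request header when padding is wanted.
[$prefix, $suffix] = splitHash('alpaca999');
$body = implode("\r\n", [
    str_repeat('0', 35) . ':0', // constructed padding entry
    $suffix . ':3',             // constructed match, count taken from the README
    str_repeat('F', 35) . ':0', // constructed padding entry
]);

echo "Sent to the API: {$prefix}\n";
var_dump(passesPwnedCheck('alpaca999', $body));    // threshold 0
var_dump(passesPwnedCheck('alpaca999', $body, 5)); // threshold 5
```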

Security
--------

If you find any security related issues with this package, please email  instead of submitting an issue.

Credits
-------

- [Troy Hunt](https://twitter.com/troyhunt) created and maintains Have I Been Pwned

License
-------

This package is released under the MIT License. See [LICENSE.md](LICENSE.md).

